CISOs: Striving Toward Proactive Security Strategies

CISOs are in a tough spot. Organizations are squeezed by cyber criminals, new compliance requirements, and bleeding-edge technologies that erode privacy and stability. The team that leads defense efforts is becoming a more and more vital player in the long-term survival of any organization that sells, uses, or produces information technology—that is to say, everyone. But what do we really know about CISOs and how they operate?


Several surveys talk about CISO salaries and job prospects, but we felt that the industry as a whole needed to fully understand what goes into the day-to-day job of a CISO. F5 and research firm Ponemon teamed up to survey CISOs and draw as complete a picture as we could of the modern security executive. In the report, The Evolving Role of CISOs and Their Importance to the Business, we focus on key areas like budgetary control, organizational influence, decision rationale, and strategic methodology. In other words, how do CISOs succeed, and how much power do they wield? We also delve into the background and experience of CISOs, both in terms of technical capability and business savvy.

To cast a wide net, we interviewed senior level IT security professionals from 184 organizations in seven countries, tracking nearly 70 questions. We wanted a deep, unbiased look at the contemporary CISO. The results are eye-opening, and both encouraging and worrisome.

First, the discouraging news. Security programs appear to be reactive: 60 percent of respondents said material data breaches and cyber security exploits are the primary drivers of change in their security programs. And just 22 percent of respondents say their organizations’ security function is integrated with other business functions. Perhaps most concerning, though, is that only 51 percent say their organization has an IT security strategy and, of those, only 43 percent say that strategy is reviewed, approved, and supported by C-level executives.

But there is good news, as well. Seventy-seven percent of respondents say their IT security operations are aligned with IT operations, although fewer respondents (60 percent) say they have achieved alignment of IT security operations with business objectives.

Furthermore, there are some promising trends in the day-to-day responsibilities CISOs hold. Most CISOs (67 percent) believe they should be responsible for setting security strategy, and the majority are influential in managing their companies’ cybersecurity risks, with 65 percent reporting to senior executives (that is, no more than three steps below the CEO on the organization chart). Over half (61 percent) set the security mission and are responsible for informing the organization about new threats, technologies, practices, and compliance requirements (60 percent). In the event of a serious security incident, more than half (60 percent) have a direct channel to the CEO.

These findings indicate both the challenges and the progress CISOs are making in today’s complex environment. I invite you to reflect on and discuss these findings with your peers. My hope is that we now have a foundation for more meaningful conversations with one another and have a greater impact on our organizations. I also hope the broader discussions we are driving here at F5 Labs are providing CISOs and future CISOs the tools to tackle this challenge.


About the author

Mike Convertino

Mike Convertino is Head of Technology and former CISO for F5 Networks. He has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide array of organizations, including the U.S. government, Fortune 500 companies, and security start-ups. Prior to joining F5, Convertino was the Chief Information Security Officer at CrowdStrike, where he was responsible for the security of both CrowdStrike's corporate network and its product platform.
